Unbound unbound_manager (Manager/Installer utility for unbound - Recursive DNS Server) - General questions / discussion thread 2

[dave14305]

@Martineau - I see you're busy WireGuard-ing, but have you seen this ?
Are we good?

BIND is not Unbound.

 

[SomeWhereOverTheRainBow]

@Martineau - I see you're busy WireGuard-ing, but have you seen this ?
Are we good?

This specifically relates to out dated bind servers. Unbound is kept pretty well up to date as it relates to security concerns.

 

[Mathieu]

Hello
Anyone knows cases where Unbound might take precedence over VPN client DNS rules (set to Strict/Exclusive)?
That is, would the Open VPN DNS rules still be enforced for relevant clients where Unbound is the default DNS resolver?
Is that were the case, should specific rules be specified by way of user script? Any lead?

Thanks.

 

[chongnt]

Hello
Anyone knows cases where Unbound might take precedence over VPN client DNS rules (set to Strict/Exclusive)?
That is, would the Open VPN DNS rules still be enforced for relevant clients where Unbound is the default DNS resolver?
Is that were the case, should specific rules be specified by way of user script? Any lead?

Thanks.

In my configuration, I set accept DNS configuration to disabled in VPN client. In this setup, VPN client still use unbound which is what I wanted. I have tried other strict and exclusive before but I couldn't remember exactly what's the behavior. Did you get your desired DNS resolver to work? I can test it out for you on my device.
Edit: I just did a quick test. With strict, my pc still resolve with unbound. With exclusive, my pc resolve using VPN DNS. All these is done with DNS filter set to router.

 

[Mathieu]

In my configuration, I set accept DNS configuration to disabled in VPN client. In this setup, VPN client still use unbound which is what I wanted. I have tried other strict and exclusive before but I couldn't remember exactly what's the behavior. Did you get your desired DNS resolver to work? I can test it out for you on my device.
Edit: I just did a quick test. With strict, my pc still resolve with unbound. With exclusive, my pc resolve using VPN DNS. All these is done with DNS filter set to router.

Thank you
My intentions are probably different from yours, as I would like all clients to resolve through Unbound, save for those devices specifically routed through the tunnel.
I found with a prior setup that using VPN / Relaxed DNS config would result in TLS handshake errors. I assume that was because of 'inconsistency' between the VPN-assigned IP address and the Unbound DNS.
I will try the setup per your Edit and see if Unbound and VPN DNS can coexist peacefully.
Cheers

 

[DocUmibozu]

Any news about this?

Jitterentropy-Rngd high CPU use

Recently updated my RT-AC88U to 386.2.4 . Since, I have seen very high CPU usage from the jitterentropy-rngd daemon, somtimes as high as 80% getting close to maxing out both cores. On a positive note this is not consistent. It waxes and wanes with usage increases when WAN throughput is higher...

www.snbforums.com

It seems that haveged is deprecated....

 

[SomeWhereOverTheRainBow]

Any news about this?

Jitterentropy-Rngd high CPU use

Recently updated my RT-AC88U to 386.2.4 . Since, I have seen very high CPU usage from the jitterentropy-rngd daemon, somtimes as high as 80% getting close to maxing out both cores. On a positive note this is not consistent. It waxes and wanes with usage increases when WAN throughput is higher...

www.snbforums.com

It seems that haveged is deprecated....

That is assuming that haveged is the cause of the issue with Jitterentropy-rngd. that user just stated they had jitterentropy-rngd causing high cpu spikes. nothing actually showing haveged causing the problem.

 

[DocUmibozu]

That is assuming that haveged is the cause of the issue with Jitterentropy-rngd. that user just stated they had jitterentropy-rngd causing high cpu spikes. nothing actually showing haveged causing the problem.

Sorry but you totally missed the point.
In the thread Merlin said to inform scripts developers to remove haveged from the scripts, because jitterentropy does the same thing.
See post #9 in the thread I mentioned...

 

[DocUmibozu]

Anyway I disabled haveged in init.d and unbound seems to work without problems...

 

[SomeWhereOverTheRainBow]

Sorry but you totally missed the point.
In the thread Merlin said to inform scripts developers to remove haveged from the scripts, because jitterentropy does the same thing.
See post #9 in the thread I mentioned...

I get what you are saying , but I would leave it until it is determined there is not some underlying issue with jitterentropy-rngd. As you can see from that OP , the issue was still open as to why that user had cpu spikes. It brings in to question the full effectiveness of jitterentropy-rngd on some model routers.

 

[New2This]

Unbound, meaning my router, is my DNS, and if it can't serve the IP that's queried, it goes to the Auth servers maintained by iCANN (just like CF, Google etc).
that's assuming unbound is up and running - if for some reason it hasn't launched in a reboot or otherwise fails, I've pointed my router to Canadian Shield (i'm within that jurisdiction), with CF as a backup in case they're down. surely at some point my ISP sees some of this (CF may be under the same roof as my ISP's servers), but for the hopefully brief moments of time that this might be the case, I'm surely not transmitting/receiving anything on my network's end that could be compromising.

I have my unbound traffic running through my VPN

 

[TonyK132]

I did an auto-Reboot at 3am this morning, but when I looked at the Unbound stats, it had not restarted at that time. I did a Refresh stats from the GUI and that got the stats going again. I did not think to check from AMTM if Unbound was running.

Update: I just checked amtm, and Unbound says its been running for 6+ hrs, which corresponds to the reboot, so only the stats did not start.

 

[heysoundude]

I'm having fairly regular power fluctuations in my area of late (as the grid learns to compensate for Air conditioners, I presume) and anytime it does, I lose the GUI for the addons I run. this is a problem since updating to v386 for me - If someone can point me in the direction of resolving this (other than a factory reset), I'd be very appreciative.

 

[SomeWhereOverTheRainBow]

I'm having fairly regular power fluctuations in my area of late (as the grid learns to compensate for Air conditioners, I presume) and anytime it does, I lose the GUI for the addons I run. this is a problem since updating to v386 for me - If someone can point me in the direction of resolving this (other than a factory reset), I'd be very appreciative.

Scheduled reboots during times you are not actively online may help alittle.

 

[gattaca]

Hi started playing around with ubound on my hot-spare router using 386.2_4. I did the AMTM install, diversion to get entware, then disabled diversion. Then I installed unbound by defaults. I did some prelim testing and no vids on YT would run. I removed ubound, rebooted the router and YT vids played fine. Any thoughts? Thanks.

 

[chongnt]

I'm having fairly regular power fluctuations in my area of late (as the grid learns to compensate for Air conditioners, I presume) and anytime it does, I lose the GUI for the addons I run. this is a problem since updating to v386 for me - If someone can point me in the direction of resolving this (other than a factory reset), I'd be very appreciative.

I used to add some delay in post-mount script before unbound but not anymore. Not sure if this will help.

Unbound - unbound_manager (Manager/Installer utility for unbound - Recursive DNS Server) - General questions / discussion thread 2

Did unbound just had an update? I installed today and get version v3.22b6. It is pretty much just install and go, no more easy / advance mode to choose? I remember the last time I install couple of weeks ago there are so many options to choose and I was lost. I like this one better, install and...

www.snbforums.com

 

[TonyK132]

I thought I would post this here hoping for an answer.

I'm running unbound in addition to dnsmasq in Merlin 384_19. For this config, are the dnsmasq vulnerabilities in 384 an issue? I thought that for a dns query, dnsmasq resolves from its cache, but if not there, it goes to unbound, and that dnsmasq does not go out to the big, bad, internet itself. If that is right, then it's unbound's job to protect against the baddies not dnsmasq. Have I got that right? I'm using the default config files for unbound and dnsmasq.

 

[MatteoPV]

I have a question. On my router I am using practically all the addons present in AMTM. You use them all except x3mRouting, unbound, dnscrypt and pixelserv. I always use the VPN 24h and all my traffic goes through the VPN. In the past I had tried Unbound but it gave me DNS leak problems which could then be solved by passing all DNS requests in the VPN tunnel, I have scripts that I found here on the forum that solve the problem. The questions are these:

1) Should I also install Unbound even though I already have Diversion on board?

2) I am using the VPN_Failover script which restarts the VPN if the VPN tunnel fails. If I used Unbound with DNS requests routed in the VPN tunnel, in case VPN_Failover needs to restart the VPN, then would I have the DNS exposed or would everything be ok as before?

I ask these questions because if I install Unbound then it is not so easy to remove it from the router, the last time I had to do a factory reset

 

[archiel]

Following the updated versions of unbound added to entware

unbound-anchor - 1.13.1-2
unbound-checkconf - 1.13.1-2
unbound-control - 1.13.1-2
unbound-daemon - 1.13.1-2

the unbound script is to longer completing

[1626008669] unbound-control[29323:0] error: connect: Connection refused for 127.0.0.1 port 953
        'key-cache-size:'        (N/A)
[1626008669] unbound-control[29329:0] error: connect: Connection refused for 127.0.0.1 port 953
[1626008669] unbound-control[29331:0] error: connect: Connection refused for 127.0.0.1 port 953
        'msg-cache-size:'        (N/A)  0% used         (N/A)
[1626008669] unbound-control[29346:0] error: connect: Connection refused for 127.0.0.1 port 953
[1626008669] unbound-control[29348:0] error: connect: Connection refused for 127.0.0.1 port 953
        'rrset-cache-size:'      (N/A)  0% used         (N/A)

 

[netware5]

Following the updated versions of unbound added to entware

unbound-anchor - 1.13.1-2
unbound-checkconf - 1.13.1-2
unbound-control - 1.13.1-2
unbound-daemon - 1.13.1-2

the unbound script is to longer completing

[1626008669] unbound-control[29323:0] error: connect: Connection refused for 127.0.0.1 port 953
        'key-cache-size:'        (N/A)
[1626008669] unbound-control[29329:0] error: connect: Connection refused for 127.0.0.1 port 953
[1626008669] unbound-control[29331:0] error: connect: Connection refused for 127.0.0.1 port 953
        'msg-cache-size:'        (N/A)  0% used         (N/A)
[1626008669] unbound-control[29346:0] error: connect: Connection refused for 127.0.0.1 port 953
[1626008669] unbound-control[29348:0] error: connect: Connection refused for 127.0.0.1 port 953
        'rrset-cache-size:'      (N/A)  0% used         (N/A)

Seems to be we have again problems with Unbound after Entware upgrade. I will wait until the update of Unbound is available via amtm script.